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Abstract 


Consider a network of four processors that use the Oral Messages (Byzantine Generals) algorithm of Pease, 
Shostak and Lamport to achieve agreement in the presence of faults. Bevier and Young have published a 
functional description of a single processor that, when interconnected appropriately with three identical 
others, implements this network under the assumption that the four processors step in synchrony. By 
formalizing the original Pease, Shostak and Lamport work, Bevier and Young mechanically proved that 
such a network achieves fault tolerance. In this paper we develop, formalize and discuss a hardware design 
that has been mechanically proved to implement their processor. In particular, we formally define mapping 
functions from the abstract state space of the Bevier-Young processor to a concrete state space of a 
hardware module and state a theorem that expresses the claim that the hardware correctly implements the 
processor. We briefly discuss the Brock-Hunt Formal Hardware Description Language which permits 
designs both to be proved correct with the Boyer-Moore theorem prover and to be expressed in a 
commercially supported hardware description language for additional electrical analysis and layout We 
briefly describe our implementation, which actually takes the form of a hardware design generator which 
produces a design as a function of the desired word size. We exhibit the theorem that establishes that the 
generator is correct We exhibit the instance generated for sense data of width 8, in the syntax of NDL, a 
hardware description language supported by LSI Logic, Inc. We exhibit some results of processing the 
verified design with commercially available tools. We discuss two unrealistic aspects of our verified 
design, (a) The use of parallel instead of serial io requires an excessive number of pins, (b) The 
assumption that all four processors step in synchrony is implemented by having them share a common 
clock — introducing an unacceptable single-point failure mode. 

Keywords: hardware verification, fault tolerance, Byzantine agreement. Oral Messages algorithm, 
automatic theorem proving, Boyer-Moore logic. 
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1. Background 

In [1] Bevi-r and Young describe a formalization of the “Oral Messages” (or “Byzantine Generals”) 
algorithm ol Pease, Shostak and Lamport [51 and a functional description of a processor liiat implements 
the algori 'ir.; in the case of a four processor network. They use the Boyer-Moore theorem prover, 
NQTHM I'll. to check the Pease-Shostak-Lamport theorem and to prove that their abstract processor 
correctly implements the algorithm for the case in question. They specify the processor by exhibiting a 
function named local-step that is the state transition function, i.e., the function that, on each clock tick, 
produces the next state of the processor. In this paper we implement that processor in the formalized 
hardware description language (HDL) of Brock and Hunt and we exhibit a theorem, which has been proved 
by NQTHM, that states that our hardware implements local-step. Readers are urged to see [1] for 
additional background material. 

The processor reads sense data and inputs from its peers, exchanges this data in a certain fixed pattern 
among the peers, and then votes on certain combinations of the exchanged data. The result of the vote is an 
“interactive consistency vector” (“icv”) which contains four data objects in 1:1 correspondence with the 
four processors. The icv in a processor indicates that processor's “opinion” of the final value of the sense 
data in each of the four. Provided at most one processor is faulty, all nonfaulty processors hold identical 
opinions about all the processors, including any faulty processor. This fact is proved informally but 
precisely in [5]; it is stated formally and proved mechanically in [1]. In actual applications, the sense data 
and all of the exchanged data are in fact bit vectors of some fixed length, though that restriction is 
unnecessary in the abstract view of the processor and in its proof. 

Bevier and Young formalize the processor by formalizing the notion of its “state” and its “state 
transition” function, the function which determines the next state given the sense data, the input from the 
peers, and the current state. To model the network in which the four processors are connected, Bevier and 
Young define a function called global-step which manages four independent procersor states and 
transfers the outputs of each state to the appropriate inputs of the next state transition. This model of the 
network implicitly assumes that all four processors execute in lockstep synchrony. If l ocal-step is 
taken as a low-level hardware design, in which one state transition by local-step describes one tick of 
the microprocessor’s clock, then this assumption is naturally implemented by having the four processors 
controlled by a common clock. If local-step is taken more abstractly, in which one step by 
local-step might require many microprocessor cycles, then this assumption might be implemented via 
some rough clock synchronization algorithm and time abstraction. We take the view that local-step is 
a low-level specification and we designed our microprocessor to implement it directly. This is unrealistic 
for two reasons. First, it requires the four processors to share a common clock, which introduces a potential 
single-point failure mode. Second, it requires parallel io so that all the bits output by one processor on one 
clock tick are available as input to the appropriate peer processor on its next cycle. But because we have so 
many inputs and outputs, parallel io makes excessive demands for pins. We return to these points after 
presenting our design. 

The state of the abstract processor, local-step, is a 5-tuple constructed by state from 

• a 3x3 matrix of sense data read and obtained from peers; 

• an output buffer obuf of length 3, each component of which is physically connected to a 
fixed peer processor in such a way that the contents of that component on each cycle appears 
as a certain input to the peer on its next cycle; 

• the interactive consistency vector icv containing data objects (or a token denoting "no 
majority") representing the finally agreed upon values of the sense data in each of the four 
peers; 

• a light which represents the final action taken by the processors upon reaching agreement; 
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and 

• a counter, clock, which records the current "time” modulo 8 and is used to sequence the 
device. 

Bevier and Young define the notion of a "good state” with good-statep which formalizes the 
description above. See Appendix A. 

The definition of local -step is 

Definition . 

(locsl-stsp input statm) 

(lot ( (itnii (nth 0 input)) 

(pO (nth 1 input)) 

(pi (nth 2 input) ) 

(p2 (nth 3 input) ) 

(clock (clock stats))) 

(cam (remainder clock 8) 

(0 (state (matrix state) 

(make-list 3 sense) 

(put 3 sense (icv state)) 

(light state) 

(remainder (plus 1 (clock state) ) 8) ) ) 

(1 (atate (put 0 (liat pO pi p2) (matrix state)) 

(list pi pO pO) 

(icv state) 

(light state) 

(remainder (plus 1 (clock state) ) 8))) 

(2 (state (put 1 (list pO pi p2) (matrix state)) 

(liat (nth 2 (nth 0 (matrix state))) 

(nth 2 (nth 0 (matrix atate))) 

(nth 1 (nth 0 (matrix state)))) 

(icv state) 

(light atate) 

(remainder (plus 1 (clock state)) 8))) 

(3 (state (put 2 (list pO pi p2) (matrix state)) 

(obuf state) 

(icv state) 

(light state) 

(remainder (plus 1 (clock state)) 8))) 

(4 (state (matrix state) 

(obuf state) 

(coopute-icv (matrix state) (icv state) ) 

(light state) 

(remainder (plus 1 (clock state) ) 8) ) ) 

(5 (state (matrix state) 

(obuf state) 

(icv state) 

(filter (icv atate)) 

(remainder (plus 1 (clock state)) 8))) 

(otherwise 

(state (matrix state) 

(obuf state) 

(icv state) 

(light state) 

(remainder (plus 1 (clock state) ) 8) ) ) ) ) . 

The case and lat abbreviations (supported by some local patches to NQTHM) should be self- 
explanatory. The definition of local-step without these abbreviations may be found in Appendix A, 
along with the definitions of the subfunctions. Roughly speaking, the function above produces a new state 
as a function of the current state and the input. On each application, the clock is incremented by one 
(modulo 8). When the clock is between 0 and 5, other components of the state are modified. The last two 
cycles (6 and 7) are no-ops. 
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Our job is to construct a Formal HDL description of a module that implements this function and to prove 
that we did so. 

The Formal HDL we use is the descendant of that described by Brock and Hunt in [3], (At the time of this 
writing, the new Formal HDL has not yet been documented though we explain it briefly here.) The 
language is connected to the hardware design tools of LSI Logic, Inc., v ia a Lisp progiair* tliat translates 
Formal HDL descriptions into LSI Logic's Netlist Description Language (NDL). NDL is a conventional 
hardware description language similar to Verilog™ [7]. Commercially available LSI Logic tools permit 
one to analyze NDL descriptions to extract schematics, do layout, etc. 

In this document we exhibit our implementation and the theorem that we claim establishes its correctness. 
We sketch the Formal HDL to make our description somewhat self-contained, but we do not include the 
definition of the HDL, nor do we even discuss (much less present the NQTHM events leading to) the proof 
of correctness. However, the file of events, leading from NQTHM’s ground-rero state through the 
definition of the Brock-Hunt hardware interpreter, dual -aval, and thence onward to our implementation 
of local -3 tap and its correctness, is available upon request. The file may be processed by the released 
NQTHM, but requires the loading of Bishop Brock's “fast clausifier” patch, available from CLI. 


2 . Mapping from Abstract States to Concrete States 

The function we wish to implement, local -step, uses such abstract objects as the 5-tuple states, 
integers, the arbitrary sense data objects, etc. In order to implement it in digital hardware we must both 
restrict it to certain lands of sense data (e.g., bit vectors) and define a mapping from the abstract state space 
to a concrete state space. 

The hardware description language we use imposes on us a formal definition of concrete states as 
cona-trees of Boolean vectors. The shape of the tree depends on the hierarchical decomposition of the 
hardware description. Thus, our description of the concrete state space foreshadows our final 
implementation. Nevertheless, we describe the two state spaces (the restricted abstract one and the 
concrete one) and the maps between them before exhibiting our implementation. 

2.1 The Restricted Abstract State Space 

Brock and Hunt define a bit vector to be recognized by bvp, 

Definition . 

(bvp x) 

(if (nlistp x) 

(equal x 'nil) 

(and (boolp (car x) ) (bvp (cdr x) } ) ) . 

We introduce the idea of a bit vector of width w. 

Definition . 

(bvpn bv w) 

(and (bvp bv) 

(equal (length bv) w) ) , 

and the idea of a proper list of such bit vectors. 

Definition . 
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(all-bvpn 1st w) 

(if (nlistp 1st) 

(eq:*i 1st nil) 

(and (bvpn (car 1st) w) 

(all-bvpn (cdr 1st) w) ) ) 

In our restricted abstract states, sense data (and thus the exchanged and voted data) will always be bit 
vectors of width w. 

The icv of the abstract state will be restricted to being a list of length 4, the last element of which is a bit 
vector of width w and the other three of which are either bit vectors of width w or else the object 
(maj -token) indicating that no majority was found. 

Definition . 

(icvp 1st w) 

(and (equal (length 1st) 4) 

(or (bvpn (car 1st) w) 

(equal (car 1st) (ma j-token) ) ) 

(or (bvpn (cadr 1st) w) 

(equal (cadr 1st) (maj -token) ) ) 

(or (bvpn (caddr 1st) w) 

(equal (caddr 1st) (maj -token) ) ) 

(bvpn (cadddr 1st) w) 

(equal (cddddr 1st) nil) ) 


Similarly, we require that the matrix and the output buffer of the restricted abstract state contain fixed 
width bit vectors. We wrap all these restrictions up into a single predicate, 

Definition . 

(data-path-assumptionp state w) 

(and (properp (matrix state) ) 

(all-bvpn (nth 0 (matrix state) ) w) 

(all-bvpn (nth 1 (matrix state) ) w) 

(all-bvpn (nth 2 (matrix state) ) w) 

(all-bvpn (obuf state) w) 

(icvp (icv state) w) ) . 

The abstract state contains the light which is set by the undefined function filter once the icv is 
computed. We cannot implement either the light or the filter in hardware since they are unspecified. 
Therefore, the map up from concrete states to abstract ones must somehow recover from the concrete state 
an icv upon which filter produces the required light. Thus, if we are originally presented with an 
abstract state whose light is not the value of filter on some icv it will be impossible to map the state 
down inveitibly. We therefore impose on the abstract state space the additional restriction that the light 
of an abstract state be obtained by applying filter to some icvp-object. We avoid the implicit 
existential quantification by passing the alleged object in as a “witness.” States for which there exists 
such a witness are said to be “well-lit.” 

Definition . 

(well-litp state act-reg w) 

(and (icvp act-reg w) 

(equal (light state) (filter act-reg))) 
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Our restricted abstract state space is defined by 
Definition . 

(bevier-young-atatep state act-reg w) 

(and (good-atatep state) 

(data-path-assuxnptionp state w) 

(we^i-litp state act-reg w) ) , 

which recognizes well-lit good states that satisfy the data path width assumption. 


12 The Concrete State Space 


The shape of a concrete state is determinal by the hierarchical decomposition of our hardware description 
and the conventions of the Formal HDL language. A concrete state will be a list of length nine with the 
following components, arrayed in the order shown: 


component 

cnt 

matrixO 
mat r ixl 
mat r 1x2 
data-out 
icv-rag 
act -rag 

I cv-ma j -axi a t *p- rag 
act -maj-axi at ap- rag 


structure 
(cO cl c2) 
(mOO mOl m02) 
(mlO mil ml 2) 
(m20 m21 m2 2) 
<o0 ol o2) 


types 
three bits 

three w-bit vectors 
three w-bit vectors 
three w-bit vectors 
three w-bit vectors 
four w-bit vectors 
four w-bit vectors 
three bits 
three bits 


(icvO icvl lev 2 icv3) 
(aO al a2 a3) 

(bO bl b2) 

(dO dl d2) 


For example, (cnt state) is defined to be (nth 0 state) and (act-ma j-exiatap-reg 
atate) is defined to be (nth 8 atate). 


The recognizer for well- formed concrete states is: 

Definition . 

(hunt-brock-atatep x w) 


(and (properp x) 

(equal (length x) 9) 

(bvpn (cnt x) 3) 

(equal (length (matrixO x) ) 3) 

(equal (length (matrixl x) ) 3) 

(equal (length (matrix2 x) ) 3) 

(equal (length (data-out x) ) 3) 
(equal (length (iev-reg x) ) 4) 

(equal (length (act-reg x) ) 4} 

(all -bvpn (matrixO x) w) 

(all-bvpn (matrixl x) w) 

(all-bvpn (matrix2 x) w) 

(all-bvpn (data-out x) w) 
(all-bvpn (iev-reg x) w) 

(all-bvpn (act-reg x) w) 

(bvpn (iev-ma j-existap-reg x) 3) 
(bvpn (act-ma j-exiatap-reg x) 3)) 


I 
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23 The Map Down 

We map the abstract icv onto the concrete icv by replacing (ma j-token) , when it occurs, by the bit 
vector that is everywhere f . This is ambiguous, since that bit vector may be legitimate sense data. We 
therefore maintain a 3-bit register, maj-existsp-reg, which is in 1:1 correspondence with the first 
three words of the concrete icv and in which an f indicates that the corresponding icv word denotes 
(ma j-token) . 

Definition . 

(icv-down icv w) 

(list (if (equal (car icv) (maj-token)) 

(nat-to-v 0 w) 

(car icv) ) 

(if (equal (cadr icv) (ma j-token) ) 

(nat-to-v 0 w) 

(cadr icv) ) 

(if (equal (caddr icv) (ma j-token)) 

(nat-to-v 0 w) 

(caddr icv) ) 

(cadddr icv) ) 


Here is how we set ma j-existsp-reg from the abstract icv: 

Definition . 

(maj-existsp-reg icv) 

(list (not (equal (car icv) (ma j-token) ) ) 

(not (equal (cadr icv) (ma j-token) ) ) 

(not (equal (caddr icv) (maj -token) )) ) 

To map an abstract state down (invertibly) we must know the witness for the light of the abstract state. 

This witness, which is another icv, we store in the act-reg and the act -maj-existsp-reg 

(affording the (maj -token) s in the witness the same treatment as in the icv). Thus, we map an abstract 

state down (with respect to a given witness act-reg and data width w) with 

Definition . 

(down state act-reg w) 

(list (nat-to-v (clock state) 3) 

(nth 0 (matrix state) ) 

(nth 1 (matrix state)) 

(nth 2 (matrix state) ) 

(obuf state) 

(icv-down (icv state) w) 

(icv-down act-reg w) 

(maj-existsp-reg (icv state) ) 

(maj-existsp-reg act-reg)). 


2.4 The Map Up 

We invert the icv-down map with 
Definition . 

(icv -up icv icv-ma j-existsp-reg) 

(list (if (car icv-ma j-existsp-reg) (car icv) (ma j-token) ) 
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(if (c adr icv-maj -exist sp-reg) (cadr icv) (maj-token)) 

(if (caddr icv-maj -exist sp-reg) (caddr icv) (maj-token)) 

(cadddr icv)), 

which is also used to recover the light witness. 

We then invert the down map with 

Definition . 

(up 1st) 

(state (list (matrixO 1st) (matrixl 1st) (matrix2 1st) ) 

(data-out 1st) 

(icv-up (icv-reg 1st) 

(icv-ma j-existsp-reg 1st)) 

(filter (icv-up (act-reg 1st) 

(act -ma j-existsp-reg 1st))) 

(v-to-nat (cnt 1st) ) ) 

Observe that after recovering the witness from act-reg and act -ma j-existsp-reg we apply 

filter to obtain the light. 


3. The Specification 

In the most literal sense, our goal is to exhibit a netlist that implements the Bevier-Young LOCAL-STEP 
for some fixed data path width, w, namely 8. We exhibit such a nedist in Appendix C, where it is displayed 
in the syntax of LSI Logic’s NDL. Let netlist be the formal analogue of that nedist, let module be the 
formal analogue of the top-level module name, LSTEP_8, and let w be the data width 8. Then the 
following theorem holds: 

Theorem . Main 

(implies (and (bevier-young-statep state act-reg w) 

(bvpn sense w) 

(bvpn pO w) 

(bvpn pi w) 

(bvpn p2 w) 

(equal te f) 

(equal reset- t) ) 

(equal (local-step (list sense pO pi p2) state) 

(up 

(dual-eval 2 module 

(append (list elk te ti reset-) 

(append sense 

(append pO 

(append pi p2) ) ) ) 

(down state act-reg w) 
netlist ) ) ) ) 


This theorem says that if 

• state is a state in our restricted abstract state space (whose light is witnessed by 
act-reg and whose data path width is w), and 

• sense, pO, pi, p2 are bit vectors of width w f and 

• the “test enable” line, te, to our module is low and the “reset when low” line, reset-, is 
high. 


then 
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• the Bevier- Young local -step applied to the given sense and input data in the given 
abstract state 

is equal to the result of 

• (napping the abstract state down to a concrete state (using the supplied witness), 

• stepping the Brock-Hunt hardware model forward one step on that concrete state with our 
given inputs, module , and netlist, and 

• mapping the resulting concrete state back up. 

Technically speaking, we do not actually cause NQTHM to prove this theorem. We actually define both a 
netlist generator and a netlist recognizer, both of which take the data width, w>0, as a parameter. The 
generator produces a list constant that is the formal HDL description of a netlist that implements 
local -step for the given data width. The recognizer returns t or f according to whether a given netlist 
is some extension of the one we generate for*. We then lead NQTHM to the proof of the theorem that if 
the recognizer accepts a netlist defining module for width w>0 (where netlist, module and w are 
now universally quantified variables) then the interpretation of the module under the netlist computes 
local -step in the sense illustrated above. We do not prove that our generator always constructs a 
netlist satisfying the recognizer. Rather, we merely execute the generator on any chosen w, obtain a 
concrete netlist , and then execute the recognizer on that netlist to observe that the generator worked for that 
particular w. This is faster than proving that the generator always satisfies the recognizer, since one usually 
only generates a small number of instances of the design. 


4. The Implementation 

Our implementation is decomposed into modules. We exhibit the module definition generators in 
Appendix B. In this section we explain a few of the modules simply to illustrate the HDL and our 
implementation. 

4,1 Incrmt3 

The following NQTHM function defines the implementation of the INCRMT3 module. The module takes 
three bits in, i0...i2, and produces three bits, o0...o2. If the two bit vectors are thought of as integers in 
binary notation, then the specification of this module is that the output is the successor of the input, modulo 
8. We state this specification formally later. The implementation defines the output, in terms of the input, 
with combinational logic: oO is the logical negation of 10; ol is the exclusive-or of iO and il; and o2 is 
the exclusive-or the intermediate signal aO and i2, where sO is the conjunction of iO and il. 

Definition . 

(incxmt3*) 

' (incnnt3 (10 il i2) (oO ol o2) 

( (gO (oO) b-not (iO)) 

(gl (ol) b-xor (iO il)) 

(g2 (aO) b-and (iO il) ) 

(g3 (o2) b-xor (aO i2))) 

nil) 


The module definition is a list of five parts. The first part, incrmt3, is the name of the module. The 
second part, (iO il i2) , is the list of input signals. The third part, (oO ol o2 ), is the list of output 
signals. The fourth part is a list of “occurrences,” each of which is a list of the form (occ-nama 
output mod-name input) meaning that the signals listed in the output list are those produced by 


9 


the module mod-name with input input in the current state. The occurrence names, occ-name, e.g., 
gO, gl, etc., are irrelevant here. The fifth part of a module definition is the list of state-holding 
occurrences. In the module above there are none so the list is nil. Note that the Submodules” of 
incrmt3 (the modules used in its definition) are b-not, b-xor, and b-and. These are ~**i primitive but 
in general they may be the name of other defined modules. 

Incrmt3* can be thought of as a parameterized module generator that happens to have no parameters 
(and thus is a constant). Many of our module generators take arguments that indicate the size of the data, 
say, and use list processing functions to construct a suitable module definition. All of our module 
generators have names that end in *. 

In addition to its module definition generator, each module is associated with two other functions, a netlist 
generator and a netlist recognizer. A netlist is just a list of module definitions. The netlist generator for a 
module produces a list containing the definition of the module and all of its submodules. The netlist 
generator for the incrmt3 module is shown below. 

Definition . 

(incrmt3$netlist) 

(cons (incrmt3*) 

(union (b-not $netlist) 

(union (b-and$netlist) 

(b-xor$netliat) ) ) ) 

All of our netlist generators have names that end in Snetlist. 

The netlist recognizer for incrmt3 recognizes when a given netlist contains the definition of incrmt3 
and all of its submodules. 

Definition. 

(incnxxt3& netlist) 

(and (equal (lookup-module 'incrmt3 netlist) (incnot3*)) 

(and (b-not* (delete-module 'incrmt3 netlist)) 

(and (b-and* (delete -module 'incrmt3 netlist)) 

(b-xor* (delete -module ' incrmt3 netlist))))) 

All of our netlist recognizers have names that end in *. Because the netlist generators and recognizers can 
be deduced from the module definitions, we henceforth discuss only the module definition generators. 

To specify and prove the correctness of modules we must have a way of formally deriving their outputs and 
state changes from their inputs and their definitions. Bishop and Hunt define the NQTHM function 
dual -aval which can be thought of as an interpreter for their HDL. Dual -aval’s first argument is a 
flag that determines whether the function returns the signals output by the module or the new state created 
by the module. The signal values are returned if the flag is 0 and the state value is returned if the flag is 2. 
Other values of the flag have other meanings. 

Using dual -aval we can state the correctness of incrmt3. 

Theorem . 

(implies (and (incrmt3* netlist) 

(bvpn i 3) ) 

(equal (dual-aval 0 ' incrmt3 i state netlist) 

(nat-to-v (addl (v-to-nat i) ) 3) ) ) 

This theorem says that if netlist contains the definition of incrmt3 and its submodules and i is a bit 
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vector of length 3, then the output produced by evaluating the incxmt3 module with input i, in any state, 
is obtained by converting i to a natural number, incrementing it by one, and converting the result into a 
3-bit vector. This formula has been proved by NQTHM. 

Observe that if we proceeded to use incrmt3 as a submodule in some other module, and then tried to 
prove that module correct, the netlist recognizer for that superior module would tnsuix that the nedist 
recognizer for incrmt3 were satisfied. Hence, if during the symbolic evaluation of that superior module 
the question arose “what is the value of the iricrmt3 module on x0...x2?” the answer is provided by the 
correctness theorem for incrmt3 above. Thus, this methodology lets us stack modules and their 
correctness theorems to build complex structures. 

We can run a Common Lisp function on the definition of incnst3 to translate it into NDL. The result is 

MODULE INCRMT3; 

INPUTS 10,11,12; 

OUTPUTS 00,01,02; 

LEVEL FUNCTION; 

DEFINE 

GO(OO) * IVA(IO); 

G1 (01) * EO (10, II) ; 

G2 (SO) * AN2 (10, II) ; 

G3 (02) * EO(S0, 12) ; 

END MODULE; 

Note that the “deep’* structure of the definition is identical. The primitive module names (for * invert, 
“exclusive or” and “and”) are those supported by LSI Logic’s design tools 

We can process this NDL description of the module with LSI Logic’s “schematic liberator” and obtain the 
mechanically drawn schematic diagram included in Appendix D. 

42 Counter3 

The following module, counter3-temp, merely conjoins the resat- signal with each of its other three 
inputs. The three output signals of counter3-temp are thus £ if raset- is £ and are otherwise just the 
three input signals. 

Definition . 

( count® r3 -tamp* ) 

' (counter3-tanp (reset- iO il i2) 

(dO dl d2) 

( (gO (dO) b-and (reset- iO)) 

(gl (dl) b-and (reset- il) ) 

(g2 (d2) b-and (reset- i2))) 

nil) 


We use incrmt3, counter3-temp and our first state-holding device to construct countar3. 

Definition. 

(counter3*) 

(list 'counter3 

' (elk te ti reset-) 

(indices ' q 0 3) 

(list (list ' reg 

(indices 'q 0 3) 
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(index 7 rag 3) 

(cons 7 elk 

(cons ' te _ — ... 

(cons 'ti (indices 7 d 0 3))))) 

(list 7 inc 

(indices 'i 0 3) 

7 inermt 3 

(indices 7 q 0 3) ) 

(list 7 g0 

(indices 7 d 0 3) 

7 counter3-texnp 

(cons 'reset- (indices 7 i 0 3)))) 

'reg) 


The expression (index name i) constructs an indexed name, e.g., (index 7 reg 3) may be 
thought of as 7 REG3. The expression (indices name 0 k) constructs the list of k consecutive 
indexed names starting from index 0. 


Thus, the module above takes four input signals, elk, te, ti and reset-, and produces three output 
signals, q0...q2, The first three input signals are used in LSI Logic’s low level register module for the 
clock, the test enable line, and the test input line. The two test signals allow us to chain registers together 
so as to load and read the state of a module serially. In our designs we use the te and ti inputs to build 
such “scan chains.* 1 But we do not discuss them here and we have not proved that our scan chains work; 
all our theorems contain the hypothesis that the te signal is f , which means that our theorems address 
themselves only to the behavior of our modules in non-test mode. 


The first occurrence above, the one named reg, says that the three output signals, q0...q2, are obtained 
from the module reg3 by giving it the six inputs elk, te, ti, d0...d2 in the current state. The reg3 
module is a primitive module for a state-holding device of width 3. Its value is just the contents of the 
current state (modulo the te and ti inputs which we do not further discuss). But the new state delivered 
by reg3 is the list of three signals, d0...d2. Thus, this first occurrence sets the module output to the three 
signals in the current state and makes the new state be d0...d2. But we have not defined these signals yet. 

The second occurrence above, the one named inc, should be read “Let i0...i2 be obtained by 
incrementing q0...q2 with the incrmt3 module. Thus, the i0...i2 represent the number one greater 
(modulo 8) than the value returned by counters. 


Finally, the third occurrence above, named g0, defines d0...d2 to be the result of applying 
counter 3 -temp to the reset- signal and i0...i2. 

Note that the fifth part of the module definition above is 7 reg. This is the single occurrence of a 
state-holding device in the module and it describes the state returned by this module. In this case, the state 
is just the 3-bit state of the reg3 module. In general the fifth part of a module definition is either a single 
occurrence name or a (possibly empty) list of occurrence names. 


Functionally, the counter3 module can be thought of as operating on four signal arguments and a 3-bit 
state and producing three signal values and a 3-bit state. The signals returned are just those in the state in 
which counter3 is evaluated. The state returned is obtained by incrementing its current state by one 
(modulo 8) and zeroing it if reset- is £. This specification of counter3 is captured in the two 
theorems shown below. 


"nil ! in hi 
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Theorem . 

(implies (and (counter3S netlist) 

(equal te f) 

(bvp cnt) 

(equal (length cnt) 3) ) 

(equal (dual-eval 0 ' counter3 

(list elk te ti reset-) 
cnt netlist) 

cnt) ) 

Theorem . 

(implies (and (counter3& netlist) 

(equal te £) 

(boolp reset-) 

(bvp cnt) 

(equal (length cnt) 3)) 

(equal (dual-eval 2 ' counter3 

(list elk te ti reset-) 
cnt netlist) 

(if reset- 

(nat-to-v (addl (v-to-nat cnt) ) 3) 

(list f f f ) ) ) ) 

The first specifies the signals returned by counter3 and the second specifies the state returned. 

The NDL for the two modules is 

MODULE COUNTER3 -TEMP ; 

INPUTS RESET-,10,11,12; 

OUTPUTS D0,D1,D2; 

LEVEL FUNCTION; 

DEFINE 

GO (DO) » AN2 (RESET-, 10) ; 

G1(D1) ■ AN2 (BESET-, II) ; 

G2(D2) » AN2 (RESET-, 12) ; 

END MODULE; 

MODULE COUNT ER3 ; 

INPUTS CLK, TE, TI, RESET-; 

OUTPUTS Q.0,Q.1,Q.2; 

LEVEL FUNCTION; 

DEFINE 

REG(Q.0,Q.1,Q.2) » REG_3 (CLK, TE, TI,D.0,D.1,D.2) ; 

INC(I.0,I.1,I.2) ■ INCBMT3(Q.0^Q.1,Q.2); 

GO (D. 0,D. 1,D. 2) » COUNTBrS-TEMP (BESET-, 1. 0,1.1, 1.2) ; 

END MODULE; 

4J Other Submodules 

Our implementation of local-step uses six modules in addition to the three explained above. We 
merely describe them here. The corresponding module definitions are shown in Appendix B. 

Spiit-3-to-6 takes the three bits returned by the counter3 module, which correspond to 
local-stap’s clock, and returns six signals, s0...s5, with the property that si is t iff the three input bits 
represent the number i in binary. This module is a demultiplexor. When the clock is 6 or 7, all the output 
signals are f . 
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Ma jority3 is a module parameterized by the data width n. It takes three n-bit vectors in. It delivers a 
single bit, called ma j -axistsp, and an n-bit vector If there is a majority element among the three input 
vectors, the module sets maj-existsp to t and returns the majority element. Otherwise, it sets 
ma j-existp to f and returns an n-bit vector of £. 

Tv-i£3 implements a nest of selectors (conditionals) that occurs several times in our implementation. 
The module is parameterized by n. It takes the inputs cO, vO, cl, vl, c2, v2 and v3, where the c i are 
single signals and the vj are bit vectors of width n. Its output is the n-bit vector specified by (if cO vO 
(if cl vl (if c2 v2 v3) ) ) . 

Regs3 is a parameterized state-holding module that consists of three n-bit registers. It takes as input three 
n-bit vectors (plus the usual elk, te, and ti used in all register modules), returns as its value the vectors 
in the three registers, and stores its input vectors as the new state of the registers. We use regs3 to build a 
row of local-step’s matrix. 

Regs4 is like regs3 except operates on four n-bit vectors. We use regs4 to represent the iev-reg 
and the act-reg. 


v-buf-pvr is a parameterized n-bit buffer module, a device that passes its n bits of input through but has 
more drive than a normal buffer. We use it in order to make our implementation acceptable to a certain 
formally defined predicate that checks the loads and drives on all our signals. 

4.4 Lstep 

We now describe our implementation of local-step. The module is called lstep. It is parameterized 
by n, the sense data width. See Appendix B for the definition of the module. 

Lstep takes the input signals elk, te, ti, reset- and four n-bit input vectors, sense, pO, pi and 
p2. It is a state-holding module whose state s is satisfies (hunt-brock-statep s n) . It returns 
seven n-bit vectors, oO, ol, o2, aO, al, a2 and a3, and one 3-bit vector, act -ma} -exist sp. The 
three o i outputs represent local-step’s outputs to the three peer processors. The four a i outputs 
represent the “actuator iev” — the four vectors determining the light or final action taken by the 
processor. The act -maj-existsp output indicates which of the first three a i actually denote 
(maj -token) . 

The occurrences in the module are roughly described as follows. The three matrix rows are defined as 
instances of the regs3 module. Matrix element MO 2 is used so often we have to buffer it with 
v-buf-pwr. We define the data-out register as another instance of regs3, and take our three n-bit 
o i vectors from them. We define iev-rag as an instance of regs4. We define act-reg as an instance 
of regs4 We define iev-ma j-existsp-reg and the act -maj -exist sp-reg each as instances of 
reg3. 

We use counters to obtain and increment the clock and then use split-3-to-6 to demultiplex it into 
at most one “hot” signal. The six outputs are fanned out into the logic below so as to sequence the steps 
correctly. Two of the six, namely si and s2, are used so often that we have to buffer them in order to 
drive all the dependent gates. 


In the occurrences named gl through g6-m22v, we use tv-if 3 and the primitive tv-i£ to shuffle data 
between our inputs, data-out and the matrix rows as determined by which of the multiplexed clock 
signals is t. 
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In the occurrences named g7, g8, and g9 we vote on the appropriate combinations of matrix elements, 
using ma jority3 to obtain both the maj -axis tap bit and the answer for each of the three votes. This 
is done on every cycle but the results are ignored except when the clock signal s4 is t, when we put the 
results into icv-reg and icv-maj-existsp-reg (in occurrences gll-j-cvOv through 
gll-icv2v and gl3). At occurrence gll-icv3v we put the sense input into icv3 when the clock 
signal sO is t. 

In occurrences gl2-a0v through gl2-a3v we load act-reg from icv-reg if the clock signal s5 is 
t. Atgl2-act-maj-exists we load act-maj-existsp-reg from icv-maj-existsp-reg if 
the clock signal s5 is t. 

Because lstep is parameterized we cannot exhibit an NDL display of it But we can exhibit the NDL for 
an instance. In Appendix C we show some of the NDL generated for the 8-bit wide version of lstep. In 
Appendix D we include the top-level schematic for that instance of lstep. 


5. The Theorem Proved by NQTHM 

We have proved the following theorem about lstep. 

Theorem . 

(Implies 

(and (not (zerop w) ) 

(bevier-young-statep state act-reg w) 

(lstep* net list w) 

(bvpn sense w) 

(bvpn pO w) 

(bvpn pi w) 

(bvpn p2 w) 

(equal te t) 

(equal reset- t) ) 

(equal (local-step (list sense pO pi p2) 

state) 

(up (dual-eval '2 (index 'lstep w) 

(cons elk 
(cons te 
(cons ti 
(cons reset - 

(append sense 

(append pO 

(append pi p2) )))))) 

(down state act-reg w) 
netlist) ) ) ) 

Observe the similarity between this theorem, proved by NQTHM, and the specification of the hardware, 
Main. In particular, if we let w, above, be 8 and netlist, above, be (lstep$netlist 8) , and we 
observe that (not (zerop 8)) and (lstep* (lstep$netlist 8) 8), then the indicated 

instance of the theorem above is just Main. Put another way, if we generate a netlist of the desired width 
with istep$netlist and it passes the lstep* test (which can be determined by computation), then we 
know the netlist implements local -step. 

Part of the NDL translation of (lstep$netlist 8) is shown in Appendix NDL. 

It should be noted that the netlist produced by (lstep$netlist 8) passes the NQTHM predicate that 
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checks adherence to various design rules, including those constraining the loads and drives in the net 


6. Comments on our Design 

After obtaining NDL for our verified design, we used LSI Logic, Inc. tools to analyze the design. One such 
tool summarizes how our design uses the LSI gate array on which it could be built, the LMA9141C. 

ft*********************************************************************** 


* * 

* LDS-III DESIGN VERIFIER NETWORK SUMMARY * 

* * 

* PROJECT ID: L1A6477 LDS ACCOUNT NAME: MDEACCT1 * 

* ARRAY NAME: LSTEP_8 ARRAY FAMILY: LMA9K * 

* ARRAY TYPE: LHA9141C * 

* * 

* CURRENT DATE: 09/04/91 CURRENT TIME; 16:26:10 * 

* LMA9K LIBRARY DATE: 12/13/90 LMA9K LIBRARY REVISION: 10.12.0* 

* MEM10K LIBRARY DATE: 08/09/90 MKM10K LIBRARY REVISION: 10.09 * 

* * 

***************************************** **************** *************** 
* * 

* NETWORK STATISTICS AFTER CELL DELETIONS * 

* * 

* * 

* NUMBER OF CELLS DELETED: . 0 * 

* NUMBER OF UNCONNECTED CELL OUTPUTS: 244 * 

* * 

* NUMBER OF INPUT PINS (EXCLUDING BIDIRECTIONAL PINS) : ... 36 * 

* NUMBER OF OUTPUT PINS (EXCLUDING BIDIRECTIONAL PINS) : . . 59 * 

* NUMBER OF BIDIRECTIONAL PINS: 0 * 

* TOTAL NUMBER OF I/O SIGNAL PINS USED: 95 * 

* * 

* RANGE OF POWER PINS REQUIRED (VSS £ VDD) [mln-max] : 08-16 * 

* * 

* NUMBER OF PAD LOCATIONS USED FOR INPUT PINS: 0 * 

* NUMBER OF PAD LOCATIONS USED FOR OUTPUT PINS: 0 * 

* NUMBER OF PAD LOCATIONS USED FOR BIDIRECTIONAL PINS: ... 0 * 

* TOTAL NUMBER OF PAD LOCATIONS USED FOR ABOVE: 0 * 

* * 

* TOTAL NUMBER OF UNRESERVED PAD LOCATIONS AVAILABLE: 110 * 

* * 

* NUMBER OF I/O DEVICE LOCATIONS USED FOR BUFFERS : 0 * 

* TOTAL NUMBER OF I/O DEVICE LOCATIONS AVAILABLE: 114 * 


NUMBER OF CELLS USED: 

791 

NUMBER OF GATES USED: 

3438 

* 

NUMBER 07 CELL TYPES: 

12 

ARRAY GATS USAGE 

<%>: 

24.34 

* 

MAXIMUM PINS PER NET: 

169 

ARRAY AREA USAGE 

<%) : 

24.34 

* 

NETS WITH 10<PINS/NET020 : 

3 

NUMBER OF SIGNAL 

NETS: 

826 

• 

NETS WITH PINS/NET > 20: 

2 

AVERAGE PINS PER 

NET: 

3.442 

* 


* * 


Observe that our design has 3438 gates. The number of io pins is 95. This is excessively high. It is due to 
the fact that our design uses parallel io on 8-bit wide vectors. Recall that there are four 8-bit input vectors 
plus four single-bit signals, for a total of 36 input pins. The module has seven 8-bit output vectors plus 
three single-bit signals, for a total of 59 output pins. If one wished to exchange 32-bit wide sense data, the 
number of pins required would be 359! Our design is parameterized by the data size and our netlist 
generator produces correct designs for arbitrary data sizes. But such a summary is deceptive because the 
design is not practical for realistic data sizes. 

A more sensible design would use serial io, devoting one pin to each of the channels on which full vectors 
are currently exchanged. This would reduce the pin count to eighteen and allow arbitrarily sized data at the 
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cost of waiting for it to stream in. In [41, we verify that a biphase mark communications protocol allows 
reliable communication between two processors whose cycle times are within about 5% of each other. The 
reader of this document will recognize that it would be straightforward to implement the biphase mark 
specification in our Formal HDL and prove that we had done so. Proving that ar. HDL description 
implemented the send and recv of [4] would be an exercise very similar to proving that latep 
implements local-step— except it would be easier because there is no need to parameterize the 
implementation and the state mapping is much simpler. Indeed, the whole approach taken in [4] was 
motivated by our concern that the verification of the implementation of send and rocv be straig tforwar 
and independent of all extraneous considerations. The straightforward implementation of those two 
functions would allow data to be sent at the burst rate of 1.1M bps if we clocked the microprocessors at 
20MHz and had a suitable channel between them. 

Our lstep — even ignoring its excessive pin requirements — is not suitable for fault-tolerant applications 
because of the common clock assumption. Our processor implements local-step. Local-step was 
proved by Bevier and Young to provide fault-tolerance when it was connected in a network with three 
identical peers, aflof which step in concert More realistically, the four processors should each have an 
independent clock. An algorithm like that verified in [61 should be used to get the processors in 
approximate synchronization, so that they are all executing the same step of the algorithm during the same 
time interval. Our model of asynchronous communications [4] would permit us to prove that two such 
processors could communicate. 

As we envision it, the low level specification of a realistic Byzantine agreement processor will be a 
function, say async-local-step, which is like local-step but has a much finer temporal grain. 
Async -local -step will break each of the six steps of local-step into hundreds cycles and allow 
for serial communication, clock synchronization, and a certain amount of waiting to keep each major step 
sufficiently large to insure that all processors step more or less together. Under an appropriate state 
mapping, which would necessarily include some time abstraction, async-local-step could be shown 
to implement local-step. The Formal HDL design would use async-local-step, not 
local-step, as the specification. We offer this sketch of a realistic design effort merely to emphasize 
how far we are from having achieved it. 


Appendix A. The Formal Definition of LOCAL-STEP and GOOD-STATEP 


Definition. 

(length 1) 

(if (listp 1) 

(addl (length (cdr 1) ) ) 

0 ) 

Shell Definition. 

Add the state of five arguments 
with recognizer atatep and 

accessors Matrix, obuf, lev, light and clock. 

Definition . 

(make-1 i at length initial -value) 

(if (xerop length) 
nil 

(cona initial -value 

(make-list (aubl length) initial-value))) 


Definition, 
(nth n 1) 


(if (liatp 1) 
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(if (strop n) 

(car 1) 

(nth (subl n) (cdr 1))) 

0) 

Definition . 

(put n v 1) 

(if 

(if (strop n) " “ 

(cons v (cdr 1)) 

(cons (car 1) (put (subl n) v (cdr 1)))) 

1 ) 

Definition . 

(nth2 i j x) 

(nth j (nth i x) ) 

In the original Bevier-Young work, MAJORITY was introduced by constraint. However, the function was 
constrained to the point of being uniquely defined. We simply define it and its companion, 
MAJOR! TY-EXISTS. In our mechanical proof script we include the events that establish that our 
functions satisfy the constraints imposed on theirs. The uniqueness of their functions is not proved in our 
script, though we have (elsewhere) led NQTHM to that conclusion. 

Definition . 

( occur r tncs s 
x 1) 

(if (listp 1) 

(if (equal x (car 1}) 

(add! (occurrences x (cdr 1))) 

(occurrences x (cdr 1})) 

0 ) 

Definition. 

(majorltyl cands votes) 

(if (listp cands) 

(if (lessp (length votes) 

(times 2 (occurrences (car cands) votes))) 

(car cands) 

(majorltyl (cdr cands) votes)) 

0 ) 

Definition. 

(majority-existsl cands votes) 

z 

(if (listp cands) 

(or (lessp (length votes) (times 2 (occurrences (car cands) votes))) 

(majority-existsl (cdr cands) votes)) 
f) 

Shell Definition. 

Add the shell ma j -token 
with recognise; ma j -t okenp. 

Definition . 

(majority votes) 

(if (majority-existsl votes votes) 

(majorltyl votes votes) 

(maj-token) ) 

Definition. 

(majority-exlsts votes) 

3 

(ms jority-existsl votes votes) 

Definition. 
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(compute- iev matrix lev) 

(put 0 

(majority (list (nth2 0 0 matrix) 

(nth2 1 2 matrix) 

(nth2 2 1 matrix) ) ) 

(put X 

(majority (list (nth2 0 1 matrix) 

(nth2 1 0 matrix) 

(nth2 2 2 matrix))) 

(put 2 

(majority (list (nth2 0 2 matrix) 

(nth2 1 1 matrix) 

(nth2 2 0 matrix))) 

iev) ) ) 

The Bevier-Young function filter was introduced by constraint We do not need any properties of 
filter and thus introduce it by declaration (i.e., as an undefined, unconstrained function symbol). 

Undefined Function . 

(filter iev) 

Definition . 

(tablep n 1) 

(if (listp 1) 

(and (equal (length (car 1)) (fix n) ) 

(tablep n (edr 1))) 
t) 

Definition . 

(matrixp i j 1) 

(and (equal (length 1) (fix i)) 

(tablep j 1)) 

Definition . 

(good-statep x) 

(and (statep x) 

(matrixp 3 3 (matrix x) ) 

(equal (length (obuf x) ) 3) 

(equal (length (iev x) ) 4) 

(nuaberp (clock x) ) 

(lessp (clock x) 8) ) 

Definition. 

(local -step Input state) 

(if (equal (remainder (clock state) 8) 0) 

(state (matrix state) 

(make-list 3 (nth 0 input)) 

(put 3 (nth 0 input) (lev state)) 

(light state) 

(remainder (plus 1 (clock state)) 8)) 

(if (equal (remainder (clock state) 8) 1) 

(state (put 0 

(list (nth 1 Input) 

(nth 2 input) 

(nth 3 input) ) 

(matrix state) ) 

(list (nth 2 input) 

(nth 1 input) 

(nth 1 input) ) 

(iev state) 

(light state) 

(remainder (plus 1 (clock state)) 8)) 

(if (equal (remainder (clock state) 8) 2) 

(state (put 1 

(list (nth 1 input) 
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(nth 2 input) 

(nth 3 input)) 

(matrix state) ) 

(list (nth 2 (nth 0 (matrix stata) ) ) 

(nth 2 (nth 0 (matrix stata) ) ) 

(nth 1 (nth 0 (matrix stata) ) ) ) 

(icv stata) 

(light stata) 

^remainder (plus 1 (clock stata) ) 8) ) 

(if (equal {remainder (clock stata) 8) 3) 

(stata (put 2 

(list (nth 1 input) 

(nth 2 input) 

(nth 3 input) nil) 

(matrix stata) ) 

(obuf stata) 

(icv state) 

(light state) 

(remainder (plus 1 (clock state)) 8)) 

(if (equal (remainder (clock state) 8) 4) 

(state (matrix state) 

(obuf state) 

(computs-icv (matrix state) (icv state) ) 
(light state) 

(remainder (plus 1 (clock state) ) 8) ) 

(if (equal (remainder (clock state) 8) 5) 

(state (matrix state) 

(obuf state) 

(lev state) 

(filter (icv state)) 

(remainder (plus 1 (clock state)) 8)) 
(state (matrix state) 

(obuf state) 

(icv state) 

(light state) 

(remainder (plus 1 (clock state) ) 8) ) ) ) ) ) 



Appendix B. The Formal Design 

We exhibit the functions that generate each our modules. For each such generator, fn*, there is also a 
netlist generator /n$NETLIST and a netlist recognizer fni. The netlist generator returns a list of the 
generated module and each of its submodules. The netlist recognizer checks that the given netlist contains 
the generated module and each of the required submodules. 

Definition . 

(INCRMT3*) 

' (INCRMT3 (10 II 12) 

(00 OX 02) 

((CO (00) B-NOT (10)) 

(Cl (01) B-XOR (10 II)) 

(G2 (SO) B-AHD (10 II)) - 

(C3 (02) B-XOR (SO 12))) 

VXD 

Definition . — 

(CO0NTER3-TEMP*) 


(COUNTERS -TEMP (RESET- 10 II 12) 

(DO D1 D2) 

((CO (DO) B-AND (RESET- 10)) 

(Cl (Dl) B-AND (RESET- II)) 

(C2 (D2) B-AND (RESET- 12))) 

NIL) 


Definition . 


i 
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(COUNTERS*) 

(LIST ' C0UNTER3 

' (CLF TE TI RESET-) 

(INDICES 'Q 0 3) 

(LIST (LIST 'REG 

(INDICES 'Q 0 3) 

(INDEX 'REG 3) 

(CONS ' CLK 

(CONS 'TE 

(CONS 'TI (INDICES 'D 0 3))))) 

(LIST 'INC 

(INDICES '103) 

' INCRMT3 

(INDICES ' Q 0 3) ) 

(LIST 'GO 

(INDICES 'D 0 3) 

' COUNTKR3 - TEMP 

(CONS 'RESET- (INDICES 'I 0 3)))) 

' (REG) ) 

Definition, 

(SPLIT- 3 -TO- 6*) 

' (SPLIT- 3 -TO- 6 (CO Cl C2) 

(SO SI $2 S3 S4 S5) 


((CO 

(NCO) 

B-NOT 

(CO)) 

(Cl 

(NCI) 

B-NOT 

(Cl)) 

(G2 

(NC2) 

B-NOT 

(C2) ) 

(C3 

(SO) 

B-AND3 

(NCO NCI NC2) ) 

(C4 

(SI) 

B-AND3 

(CO NCI NC2) ) 

(G5 

(S2) 

B-AND3 

(NCO Cl NC2) ) 

(G6 

(S3) 

B-AND3 

(CO Cl NC2) ) 

(G7 

(S4) 

B-AND3 

(NCO NCI C2) ) 

(G8 

NIL) 

(S5) 

B-AND3 

(CO NCI C2) ) ) 


Definition . 

(HAJORITY3* N) 

(LIST (INDEX ' MAJORITY 3 N) 

(APPEND (INDICES 'X 0 N) 

(APPEND (INDICES 'YON) 

(INDICES 'Z 0 N))) 

(CONS ' MAJ-EXISTSP (INDICES 'AON)) 

(LIST (LIST 'GO ' (E0) 

(INDEX 'V -EQUAL N) 

(APPEND (INDICES 'X 0 N) 

(INDICES 'Y 0 N))) 

(LIST ' G1 '(El) 

(INDEX 'V-EQUAL N) 

(APPEND (INDICES 'X ON) 

(INDICES 'Z 0 N))) 

(LIST ' G2 ' (E2) 

(INDEX 'V-EQUAL N) 

(APPEND (INDICES 'YON) 

(INDICES 'Z 0 N))) 

(LIST ' G2A 

(INDICES 'ZERO 0 N) 

(INDEX 'V-XOR N) 

(APPEND (INDICES 'X 0 N) 

(INDICES 'X 0 N))) 

' (G3 (MAJ-EXISTSP) B-OR3 (SO El B2) ) 

(LIST ' G4 (INDICES 'CON) 

(INDEX ' TV- IT 

(TREE-NUMBER (MAO-TREE N) ) ) 
(CONS ' S2 

(APPEND (INDICES 'YON) 

(INDICES 'ZERO 0 N) ) ) ) 
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NIL) 


(LIST ' G5 (INDICES 'BON) 

(INDEX ' TV- IF 

(TREE -NUMBER (MAKE -TREE N) ) ) 
(CONS 'El 

(APPEND (INDICES 'X 0 N) 

(INDICES 'C 0 N) ) ) ) 

(LIST ' G6 (INDICES 'AON) 

(INDEX 'TV- IF 

(TREE-NUMBER (MARE -TREE N) ) ) 
(CONS 'BO 

(APPEND (INDICES 'X 0 N) 

(INDICES 'B 0 N) ) ) ) ) 


Definition . 

(TV-IF3* N) 


(LIST (INDEX ' TV-IF3 N) 

(CONS 'CO 

(APPEND (INDICES 'VO 0 N) 

(CONS 'Cl 

(APPEND (INDICES 'VI 0 N) 

(CONS ' C2 

(APPEND (INDICES 'V2 0 N) 

(INDICES ' V3 0 N))))))) 

(INDICES 'OUTPUT 0 N) 

(LIST (LIST 'CO (INDICES ' T1 0 N) 

(INDEX 'TV- IF 

(TREE-NUMBER (MAKE -TREE N) ) ) 

(CONS ' C2 - 

(APPEND (INDICES 'V2 0 N) 

(INDICES ' V3 0 N)))) 

(LIST ' G1 (INDICES ' T2 0 N) 

(INDEX 'TV- IF 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS 'Cl 

(APPEND (INDICES 'VI 0 N) 

(INDICES ' T1 0 N)))) 

(LIST ' 62 (INDICES 'OUTPUT 0 N) 

(INDEX ' TV- IF 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(cons 'co _ . r 

(APPEND (INDICES 'VO 0 N) 

(INDICES ' T2 0 K> ) ) ) ) 


NIL) 


Definition . 

(REGS 3* N) 


(LIST (INDEX ' REGS 3 N) 

(CONS ' CLK 

(CONS ' TE 

(CONS 'TX 

(APPEND (INDICES ' RO 0 N) 

(APPEND (INDICES 'R1 0 N) 

(INDICES 'R2 0 N) ) ) ) )) 

(APPEND (INDICES 'QO 0 N) 

(APPEND (INDICES '01 0 N) 

(INDICES '02 0 N) ) ) 

(LIST (LIST 'REGO (INDICES '00 0 N) 

(INDEX 'REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS ' TI (INDICES 'RO 0 N) ) ) ) ) 
(LIST ' REG1 (INDICES 'Q1 ON) 

(INDEX 'REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX '00 (SUB1 N) ) 


22 




(INDICES ' R1 0 N) ) ) ) ) 
(LIST 'REG2 (INDICES 'Q2 0 N) 

(INDEX ' REG N) 

(CONS 9 CLK 

(CONS ' TE 

(CONS (INDEX ' Q1 (SUB1 N) ) 

(INDICES ' R2 0 N)))))) 


' (RBGO REG1 RBG2) } 


Definition . 
(REGS4* N) 


(LIST (INDEX ' REGS 4 N) 

(CONS ' CLK 

(CONS ' TE 

(CONS ' TI 

(APPEND (INDICES 'RO ON) 

(APPEND (INDICES 'R1 0 N) 

{APPEND (INDICES 'R2 0 N) 

(INDICES ' R3 0 N) )))))) 

(APPEND (INDICES 'QO 0 N) 

(APPEND (INDICES ' Ql ON) 

(APPEND (INDICES ' Q2 0 N) 

(INDICES ' Q3 0 N) ) ) ) 

(LIST (LIST 'REGO (INDICES 'QO 0 N) 

(INDEX ' REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS 'TI (INDICES 'RO 0 N) ) ) ) ) 

(LIST ' REG1 (INDICES ' Q1 0 N) 

(INDEX 'REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX 'QO (SUB1 N) ) 

(INDICES ' R1 0 N))))) 

(LIST ' REG2 (INDICES ' Q2 ON) 

(INDEX 'REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX 'Q1 (3UB1 N) ) 

(INDICES ' R2 0 N))))) 

(LIST ' REG 3 (INDICES 'Q3 0 N) 

(INDEX 'REG N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX ' Q2 (SUB1 N) ) 

(INDICES ' R3 0 N)))))) 

' (REGO REG1 REG 2 REG3) ) 

Definition. 

(V-BUF-FNR$BODY N N) 


(17 (IXROP N) 

NIL 

(CONS (LIST (INDEX 'G M) 

(LIST (INDEX 'T K) ) 

'B-B07-Pim ““ 

(LIST (INDEX 'A M) ) ) 
(V-BUF-PNR$BODY (ADD1 M) (SUB1 N) ) ) ) 


Definition . 

(V-BU7-PWR* N) 

(LIST (INDEX ' V-B07-PWR N) 
(INDICES 'AON) 
(INDICES 'YON) 
(V-BU7-PWR$B0DY 0 N) 
NIL) 


Definition. 


(LSTEP* N) 


(LIST 

(INDEX ' LSTEP N> 

(CONS ' CLK 

(CONS ' TE 

(CONS ' TI 

(CONS ' RESET - 

(APPEND (INDICES ' SENSE 0 N) 

(APPEND (INDICES 'PO 0 N) 

(APPEND (INDICES 'PI 0 N) 

(INDICES ' P2 0 H) )M)))) 

(APPEND •- - 

(INDICES ' OO ON) 

(APPEND (INDICES '01 0 H) 

(APPEND (INDICES '02 0 N) _ 

(APPEND (INDICES 7 ACT-HAJ-EXISTSP 0 3) 

(APPEND (INDICES 'AO ON) 

(APPEND (INDICES 'A1 0 N) 

(APPEND (INDICES f A2 0 N) 

(iNSie&r 'A3 o n)> ) ) ) rn 

(LIST 

' (CNT (CO Cl C2) 

C0UNTER3 

(CLK TE TI RESET-)) 

' (GO (SO S1WEAK S2WEAK S3 S4 S5) 

SPLIT-3-T0-S 
(CO Cl C2) ) 

'(GOA (SI) B-BU7-PWR (S1WEAX) ) 

'(GOB (S2) B-BUF-PWR (S2WEAK) ) 

(LIST ' MATRIXO 

(APPEND (INDICES 'MOO 0 N) 

(APPEND (INDICES ' M01 0 N) 

(INDICES 'M02WEAK 0 N) ) ) 

(INDEX ' REGS3 N) 

(CONS 'CLK 

(CONS 'TE 

(CONS ' C2 

(APPEND (INDICES 'KOOV 0 N) 

(APPEND (INDICES 'M01V 0 N) 

(INDICES ' M02V 0 N) ) ) ) ) ) ) 

(LIST ' KfcTRIXOA 

(INDICES ' M02 0 N) 

(INDEX ' V-BUF-PWR N) 

(INDICES ' M02WEAK 0 N) ) 

(LIST ' MATRIX1 

(APPEND (INDICES 'KLO 0 N) 

(APPEND (INDICES 'Mil 0 N) 

(INDICES ' Ml 2 0 N))) 

(INDEX ' REGS3 N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX ' M02 (SUB1 N) ) 

(APPEND (INDICES 'M10V 0 N) 

(APPEND (INDICES 'Ml IV 0 N) 

(INDICES ' K12V 0 N) ) ) ) ) ) ) 

(LIST 'MATRIX2 

(APPEND (INDICES 'M20 0 N) 

(APPEND (INDICES 'M21 0 N) 

(INDICES ' M2 2 ON))) 

(INDEX 'REGS3 N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX ' Ml 2 (SUB1 N) ) 

(APPEND (INDICES 'K20V 0 N) 

(APPEND (INDICES 'M21V 0 N) 

(INDICES ' H22V 0 N) ) ) ) ) ) ) 

(LIST 'DATA-OUT 

(APPEND (INDICES '00 0 N) 


(LIST 


(LIST 


(LIST 


(LIST 


(LIST 


(LIST 


(APPEND (INDICES '01 ON) 

(INDICES '02 0 N))) 

(INDEX ' REGS 3 N) 

(CONS ' CLK 

(CONS ' TE 

(CONS (INDEX ' H22 (S0B1 N) ) 

(APPEND (INDICES ' 00V 0 N) 

(APPEND (INDICES ' 01V 0 N) 

(INDICES '02V 0 K) ) ) ) ) ) ) 

' ICV-RXG 

(APPEND (INDICES ' ICVO 0 N) 

(APPEND (INDICES ' ICV1 0 N) 

(APPEND (INDICES ' ICV2 0 N) 

(INDICES ' ICV3 0 N)))) 

(INDEX 'PEGS 4 N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX '02 (S0B1 N) ) 

(APPEND (INDICES ' ICVOV 0 N) 

(APPEND (INDICES ' ICV1V 0 N) 

(APPEND (INDICES ' ICV2V 0 N) 

(INDICES ' ICV3V 0 N) )))))) ) 

' ACT -REG 

(APPEND (INDICES 'AO 0 N) 

(APPEND (INDICES 'A1 0 N) 

(APPEND (INDICES r A2 0 N) 

(INDICES 'A3 ON)))) 

(INDEX ' REGS 4 N) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX ' ICV3 (SUB1 N) ) 

(APPEND (INDICES 'AOV 0 N) 

(APPEND (INDICES ' A1V 0 N) 

(APPEND (INDICES ' A2V 0 N) 

(INDICES ' A3V 0 N) )))))) ) 

' ICV-MAJ-EXISTSP -REG 
(INDICES ' ICV-MAJ-EXISTSP 0 3) 

(INDEX 'REG 3) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX 'A3 (S0B1 N) ) 

(INDICES ' ICV-MAJ-EXISTSPV 0 3))))) 

' ACT-MAJ-EXISTSF-REG 
(INDICES ' ACT-MAJ-SXISTSP 0 3) 

(INDEX 'REG 3) 

(CONS 'CLK 

(CONS 'TE 

(CONS (INDEX 'ICV-MAJ-EXISTSP 2) 

(INDICES ' ACT-MAJ-EXISTSPV 0 3))))) 

' G1 

(INDICES 'OOV 0 N) 

(INDEX ' TV -IT 3 N) 

(CONS 'SO 

(APPEND (INDICES ' SENSE 0 N) 

(CONS 'SI 

(APPEND (INDICES 'PI ON) 

(CONS ' S2 

(APPEND (INDICES 'M02 0 N) 

(INDICES '00 0 N) ))))))) 

' G2 

(INDICES '01V 0 N) 

(INDEX ' TV- 173 N) 

(CONS 'SO 

(APPEND (INDICES 'SENSE 0 N) 

(CONS 'SI 

(APPEND (INDICES 'PO 0 N) 

(CONS ' S2 

(APPEND (INDICES ' M02 0 N) 

(INDICES '01 0 N) ))))))) 


25 


(LIST ' G3 

(INDICES ' 02V 0 N) 

(INDEX ' TV -17 3 N) 

(CONS 'SO 

(APPEND (INDICES ' SENSE 0 N) 

(CONS 'SI 

(APPEND (INDICES 'PO 0 N) 

(CONS 'S2 

(APPEND (INDICES 'HOI 0 N) 

(INDICES '02 0 N) )))))) ) 

(LIST ' G4-M00V 

(INDICES 'MOOV 0 N) 

(INDEX 'TV- IP 

(TREE-NUMBER (MAKE -TREE Nj ) ) 

(CONS 'SI 

(APPEND (INDICES 'PO 0 N) 

(INDICES 'MOO 0 N)))) 

(LIST ' C4-M01V 

(INDICES ' M01V 0 N) 

(INDEX 'TV-IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS 'SI 

(APPEND (INDICES 'PI 0 N) 

(INDICES ' M01 0 N)))) 

(LIST ' G4-M02V 

(INDICES ' M02V 0 N) 

(INDEX 'TV-IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS ' SI 

(APPEND (INDICES 'P2 0 N) 

(INDICES ' M02 0 N) ) ) ) 

(LIST 'G5-K10V 

(INDICES ' M10V 0 N) 

(INDEX 'TV-IP 

(TREE-NUMBER (MAKE-TREE N) } ) 

(CONS 'S2 

(APPEND (INDICES 'PO 0 N) 

(INDICES ' M10 0 N) ) ) ) 

(LIST ' G5-M11V 

(INDICES * M11V 0 N) 

(INDEX ' TV- IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS ' S2 

(APPEND (INDICES 'PI 0 N) 

(INDICES 'Mil 0 N)))) 

(LIST ' G5-M12V 

(INDICES ' M12V 0 N) 

(INDEX 'TV-IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS ' S2 

(APPEND (INDICES 'P2 0 N) 

(INDICES ' Ml 2 0 N)))) 

(LIST * G4-M20V 

(INDICES 'M20V 0 N) 

(INDEX ' TV- IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS 'S3 

(APPEND (INDICES 'PD 0 It) 

^ (TS&iaS 'M20 0 N) ) ) ) 

(LIST 'G6-M21V 

(INDICES 'M2 IV 0 N) 

(INDEX ' TV-IP ‘ ~ 

(TREE -NUMBER (MAKE-TREE N) ) ) 

(CONS 'S3 - L 

(APPEND (INDICSS 'PI 0 N) 

(INDICES ' M21 0 N>))> 

(LIST 'G6-M22V 

(INDICTS 'IC2V ON) 

(INDEX T TV -IP 
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v 



II 


(TREE -NUMBER (MAKE-TREE N) ) ) 
(CONS 'S3 

(APPEND (INDICES 'P2 ON) 

(INDICES ' K22 0 N) ) ) ) 

(LIST '<57 

(CONS (INDEX 'ICV-MAJ-EXISTSPV1 0) 
(INDICES 'MJRTYO 0 N) ) 

(INDEX ' MAJORITY 3 N) 

(APPEND (INDICES 'MOO 0 N) 

(APPEND (INDICES ' HI 2 0 N) 

(INDICES ' M21 0 N)))) 

(LIST ' C8 

(CONS (INDEX ' ICV-MAJ-EXISTSPV1 1) 
(INDICES 'MJRTY1 0 N) ) 

(INDEX 'MAJORITY 3 N) 

(APPEND (INDICES 'M01 0 N) 

(APPEND (INDICES 'M10 0 N) 

(INDICES 'M22 0 N) ) ) ) 

(LIST ' G9 

(CONS (INDEX ' ICV-MAJ-EXISTSPVl 2) 
(INDICES ' MJRTY2 0 N) ) 

(INDEX 'MAJORITY 3 N) 

(APPEND (INDICES 'M02 0 N) 

(APPEND (INDICES 'Mil 0 N) 

(INDICES ' M20 0 N) ) ) ) 

(LIST 'G11-ICV0V 

(INDICES 'ICVOV 0 N) 

(INDEX ' TV -IF 

(TREE-NUMBER (MAKE-TREE N)>) 
(CONS ' S4 

(APPEND (INDICES 'MJRTYO 0 N) 
(INDICES 'ICVO 0 N) ))) 

(LIST ' Gll-ICVTV 

(INDICES 'ICV1V 0 N) 

(INDEX 'TV-IP 

(TREE-NUMBER (MAKE-TREE N) ) > 

(CONS ' S4 

(APPEND (INDICES * MJRTY1 0 N) 
(INDICES 'ICV1 0 N) ) ) ) 

(LIST ' G11-ICV2V 

(INDICES ' ICV2V 0 N) 

(INDEX ' TV-IP 

(TREE-NUMBER (MAKE-TREE N) ) ) 
(CONS ' S4 

(APPEND (INDICES ' MJRTY2 0 N) 
(INDICES ' ICV2 0 N)))) 

(LIST ' G11-ICV3V 

(INDICES * ICV3V 0 N) 

(INDEX ' TV-IT 

(TREE-NUMBER (MAKE-TREE N) } ) 
(CONS 'SO 

(APPEND (INDICES 'SENSE 0 N) 

(INDICES ' ICV3 0 N)))) 

(LIST ' G12-A0V 

(INDICES ' AOV 0 N) 

(INDEX 'TV-IE 

(TREE-NUMBER (MAKE-TREE N) ) ) 
(CONS ' S5 

(APPEND (INDICES ' ICVO 0 N) 
(INDICES 'AO 0 H) ) ) ) 

(LIST ' C12-A1V 

(INDICES ' A1V 0 N) 

(INDEX 'TV- IP 

(TREE -NUMBER (MAKE-TREE N) ) ) 
(CONS ' S5 

(APPEND (INDICES ' ICV1 0 N) 
(INDICES ' A1 0 N)))) 

(LIST ' G12-A2V 

(INDICES ' A2V 0 N) 
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(INDEX / TV-IP 

(TREE -NUMBER (MAKE-TREE N) ) ) 

(CONS ' S5 

(APPEND (INDICES ' ICV2 0 N) 

(INDICES ' A2 0 N}))) 

(LIST 'G12-A3V 

(INDICES ' A3V 0 N) 

( INDEX r TV- IF 

(TREE-NUMBER (MAKE-TREE N) ) ) 

(CONS ' S5 

(APPEND (INDICES ' ICV3 0 N) 

(INDICES 'A3 0 N)))) 

(LIST * G12-ACT-MAJ-EXISTS 

(INDICES ' ACT-MAJ-EXISTSPV 0 3) 

(INDEX ' TV- IF 

(TREE-NUMBER (MAKE-TREE 3))) 

(CONS ' S5 — ;T 

(APPEND (INDICES ' ICV-MAJ-KXISTSP 0 3) 

(INDICES 'ACT-MAJ-EXISTSP 0 3)))) 

(LIST ' G13 

(INDICES ' ICV-MAJ-EXISTSPV 0 3) 

(INDEX ' TV- IF 

(TREE-NUMBER (MAKE-TREE 3))) 

(CONS ' S4 

(APPEND (INDICES ' ICV-MAJ-EXISTSPV1 0 3) 

(INDICES ' ICV-MAJ-EXISTSP 6 3))))) 
' (CNT MATRIX 0 MATRIX1 MATRIX 2 DATA-OUT ICV-RSC ACT-REC 
ICV-MAJ-EXISTSP -REG ACT-MAJ-EXISTSP -REG) ) 


Appendix C. The NDL for LSTEP_8 

Below we display pan of a netlist that has been proved (by construction) to implement local -step for a 
data path width of 8. The syntax of the display is NDL, the Netlist Description Language of LSI Logic Inc. 
The complete netlist occupies about 9 pages. 

MODULE LSTEP_8; 

INPUTS CLX, TE , TX , RESET- , SENSE . 0 , SENSE . 1 , SENSE . 2 , SENSE . 3 , SENSE . 4 , SENSE . 5 , 

SENSE . 6, SENSE. 7,PO.O,P0.1 f P0.2,P0.3,P0.4,P0.5,P0.6,P0.7,P1.0,Pl.l, 

PI . 2, PI . 3, PI . 4, PI . 5 , PI . 6, PI . 7, P2 . 0, ?2 . 1, P2 . 2, P2 . 3 , P2 . 4, P2 . 5, ?2 . 6, P2 . 7; 

OUTPUTS 00.0,00.1,00.2,00.3,00.4,00.5,00.6,00.7,01.0,01.1,01.2,01.3,01.4, 
01.5,01.6,01.7,02.0,02.1,02.2,02.3,02.4,02.5,02.6,02.7, 

ACT-MAJ-EXISTSP . 0 , ACT-MAJ-EXISTSP . 1 , ACT-MAJ-EXISTSP . 2 , AO . 0 , AO . 1 , AO . 2 , 

A0.3,A0.4,A0.5,A0.6,A0.7,A1.0,A1.1,A1.2,A1.3,A1.4,A1.5,A1.6,A1.7, 

A2.0,A2.1,A2.2,A2.3,A2.4,A2.5,A2.6,A2.7,A3.0,A3.1,A3.2,A3.3,A3.4, 

A3. 5, A3. 6, A3. 7; 

LEVEL FUNCTION; 

DEFINE 

CNT (CO, Cl, C2) - C0UNTER3 (CLK,TE,TI, RESET-) ; 

GO (SO, S1NXAK, S2MEAK, S3, S4 , $5) - SPLIT-3-T0-6 (CO, Cl, C2 ) ; 

GOA (SI) - B-BUF-PWR (91WEAX) ; 

GOB (S2) • B-BUF-PWR (S2NXAX) ; 

MATRIX 0 (MOO . 0, MOO . 1, MOO . 2, MOO . 3, MOO . 4, MOO . 5, MOO . 6, MOO . 7, M01 . 0, M01 . 1, M01 . 2, 

M01 . 3 , M01 . 4 , M01 . 5 , M01 . 6, M01 . 7 , M02VEAK . 0 , M02WEAK . 1 , M02WEAK . 2 , 

M02WEAK . 3 , M02WEAX . 4 , MO 2MEAK . 5 , M02NEAK . 6 , M02HEAK . 7 ) 

« RXGS3_8 (CLK, TX, C2, MOOV. 0, MOOV. 1 , MOOV. 2, MOOV. 3, MOOV. 4, MOOV. 5, MOOV. 6, 

MOOV. 7, MO IV. 0, M01V. 1, MO IV. 2, M01V. 3, M01V. 4, MO IV 5 , MO IV. 6, MO IV. 7, 

M02V. 0, M02V. 1, M02V. 2, M02V. 3, M02V. 4, M02V. 5, M02V. 6, M02V. 7 } ; 

MATRZXOA (M02 . 0 , M02 . 1, M02 . 2, M02 . 3, M02 . 4, M02 . 5, M02 . 6, MO 2 .7) 

- V-BUF-PWR_8 (M02WEAX. 0, M02WEAK. 1, M02WEAK. 2,M02WEAK. 3, M02WEAK. 4, MO 2 WEAK. 5, 

“ M02NEAK . 6 , M02WEAK . 7) ; 3 

MATRIX1 (M10 .0,M10.1,M10.2,M10.3,M10.4,M10.5,M10.6, M10 . 7, Mil . 0, Mil .1, Mil . 2, 

WIT37IGI . 4, Mil . 5 , U1 . € f IG1 . 7 , M12 . 0 , M12.1,M12.2 , IG2.3, M12 . 4, M12 . 5 , 

M12 . 6, K12 . 7) 

- REGS3_8 (ClJt, TE, M02 . 7, M10V. 0, M10V. 1, M10V. 2, M10V. 3, M10V. 4, M10V. 5 , M10V. 6, 

M10V. 7 , Ml IV . 0 , M11V . r; M11V. 2,M11V. 3 , Mi IV. 4 , M11V. 5, M11V. 6, M11V. 7, 

M12V. 0, M12V. 1, M12V. 2, M12V. 3, M12V. 4 , M12V. 5, M12V. 6, M12V. 7) ; 



MATRIX2 (M20 . 0, M20 . 1,820. '2, M2 0 . 3 , H20 . 4, H20 . 5, M20 . 6, M20 . % M21 . 0, M21 . 1, M21 . 2, 

M21 . 3, M21 . 4 , M21 . 5, H21 . 6, M21 . 7, M22 .0,M22.1,M22.2,M22. 3, M22 . 4 , M22 . 5, 

M22 . 6, M22 . 7) 

■ REGS3 8 (CLIC, TE, M12 . 7, M20V. 0, M20V. 1 , M20V. 2, M20V. 3 , M20V. 4 , M20V. 5 , M20V. 6, 

~ N20V. 7, M2 IV. 0,M21V. 1, M21V. 2,M21V. 3, M21V. 4, M21V. 5, M21V. 6, M2 IV . 7 , 

M22V. 0, H22V . 1,M22V.2,M22V.3,M22V.4,M22V.5,M22V.6,M22V.7) ; 

DATA-OUT (00 . 0 , 00 . 1 , OO . 2 , 00 . 3 , OO . 4 , 00 . 5 , 00 . 6 , 00 . 7 f 01 . 0 , 01 . 1 , 01 . 2 , 01 . 3 , 01 . 4 , 

01 . 5 , 01 . 6 , 01 . 7 , 02 . 0 , 02 . 1 f 02 . 2 , 02 . 3 , 02 . 4 , 02 . 5 , 02 . 6 , 02 . 7 ) 

- REGS3_6 \CUL, TX,M22.7,OOV.O,OOV.1,OOV.2,OOV.3,OOV.4,OOV.5,OOV. 6,00V. 7, 

01V. 0, 01V. 1,01V. 2,01V. 3,01V. 4,01V. 5,01V. 6,01V. 7, 02V. 0, 02V. 1, 

02V. 2, 02V. 3, 02V. 4, 02V. 5, 02V. 6, 02V. 7) ; 

ICV-REG (ICVO . 0 , ICVO . 1 , ICVO . 2 , ICVO . 3 , ICVO . 4 , ICVO . 5 , ICVO . 6 , ICVO . 7 , ICV1 . 0 , 

ICV1 . 1 , ICV1 . 2, ICV1 . 3, ICV1 . 4, ICV1 . 5, ICV1 . 6, ICV1 . 7, ICV2 . 0, ICV2 . 1, 
ICV2.2, ICV2.3, ICV2.4, ICV2.5, ICV2.6, ICV2.7, ICV3.0, ICV3.1, ICV3.2, 

ICV3 . 3 , ICV3 . 4 , ICV3 . 5 , ICV3 . 6 , ICV3 . 7 ) 

- REGS 4_8 ( CLK , TE , 02 . 7 , ICVO V . 0 , ICVOV , 1 , ICVOV . 2 , ICVOV . 3 , ICVOV . 4 , ICVOV . 5 , 

ICVOV. 6, ICVOV. 7, ICV1V. 0, ICV1V. 1, ICV1V. 2, ICV1V. 3, ICV1V. 4, ICV1V. 5, 
ICVTV. 6, ICV1V. 7, ICV2V. 0, ICV2V.1, ICV2V. 2, ICV2V. 3, ICV2V. 4, ICV2V . 5, 
ICV2V . 6 , ICV2V . 7 , ICV3V . 0 , ICV3V. 1 , ICV3V . 2 , ICT3V . 3 , ICV3V . 4 , ICV3V . 5 , 
ICV3V. 6, ICV3V. 7) ; 

G9 (ICV-MAJ-EXISTSPV1 . 2 , MJRTY2 . 0 , KJRTY2 . 1 , MJHTY2 . 2 , MJRTY2 . 3 , MJRTY2 . 4 , MJRTY2 . 5 , 
HJRTY2 . 6 , MJRTY2 . 7 ) 

■ MAJORITY 3_8 (M02 . 0, M02 . 1, M02 . 2, M02 . 3,M02 . 4, H02.5,M02 . 6,M02. 7, mi . 0, mi .1, 

mi.2,mi.3,mi.4,mi.5,Mll.6,mi.7,M20.0,M20.1,M20.2,M20.3, 
M20.4,M20.5,M20. 6,M20.7) ; 

G1 1 -ICV2V ( ICV2V . 0 , ICV2V . 1 , ICV2V . 2 , ICV2V . 3 , ICV2V . 4 , ICV2V . 5 , ICV2V . 6 , ICV2V . 7 ) 

* TV- IP 8 (S4 , MJRTY2 . 0, KJRTY2 . 1 , MJRTY2 . 2, MJRTY2 . 3, MJRTY2 . 4 , RJRTY2 . 5, 

“ MJRTY2 . 6 , KJRTY2 . 7 , ICV2 . 0, ICV2 . 1, ICV2 . 2, ICV2 . 3, ICV2 . 4, ICV2 . 5, 

ICV2 . 6 , ICV2 . 7 ) ; 

G1 1 - ICV3V ( ICV3V . 0 , ICV3V . 1 , ICV3 V . 2 , ICV3V . 3 , ICV3V . 4 , ICV3V . 5 , ICV3V . 6 , ICV3V . 7 ) 

- TV- IF_8 ( SO , SENSE . 0 , SENSE . 1 , SENSE . 2 , SENSE . 3 , SENSE . 4 , SENSE . 5 , SENSE . 6 , 

~ SENSE . 7, ICV3 .0, ICV3 . 1, ICV3 . 2, ICV3 . 3, ICV3 . 4, ICV3 .5, ICV3 . 6, ICV3 . 7) ; 


G12 -A3V (A3V . 0 , A3V . 1 , A3V . 2 , A3V . 3 , A3V . 4 , A3V . 5 , A3V . 6 , A3V . 7 ) 

- TV-IF_8 (S5, ICV3 . 0, ICV3 . 1 , ICV3 .2, ICV3 . 3 , ICV3 . 4 , ICV3 .5, ICV3 . 6, ICV3 . 7 , A3 . 0, 

A3. 1, A3. 2, A3. 3, A3. 4, A3. 5, A3. 6, A3. 7) ; 

G1 2 -ACT -MAJ -EXISTS (ACT-MAJ-EXISTSPV. 0 , ACT-MAJ-EXISTSPV. 1, ACT-MAJ-EXISTSPV . 2) 
« TV-IF_14 (S5, ICV-MAJ-KXISTSP .0, ICV-HAJ-EXISTSP .1, ICV-MAJ-EXISTSP . 2 , 
ACT-MAJ-EXISTSP . 0 , ACT-MAJ-EXISTSP . 1 , ACT-MAJ-EXISTSP . 2 ) ; 

(313 ( ICV-MA J-EXI STSPV . 0 , ICV-MAJ-EXI STSPV . 1 , ICV-MAJ-EXISTSPV . 2 ) 

« TV-IF_14 (S4, ICV-MAJ-EXISTSP VI . 0 , ICV-MAJ-EXISTSPVl . 1 , ICV-KAJ-EXISTSPV1 . 2 , 
ICV-MAJ-EXISTSP . 0, ICV-MAJ-EXISTSP .1, ICV-MAJ-EXISTSP . 2) ; 

END MODULE; 

MODULE SPLIT- 3 -TO- 6; 

INPUTS CO, Cl, C2; 

OUTPUTS S0,S1,S2,S3,S4,S5; 

LEVEL FUNCTION; 

DEFINE 

GO(NCO) - IVA(CO); 

Gl(NCl) - IVA(Cl); 

G2 (NC2) - XVA (C2) ; 

G3 (SO) » AN3(NC0,NC1,NC2); 

G4(S1) - AN3(C0,NC1,NC2); 

G5(S2) - A»3(NC0,C1,NC2); 

G6 (S3) - AN3(C0,C1,NC2) ; 

G7(S4) « AN3(NC0,NC1,C2); 

G8(S5) - AN3(C0,NC1,C2); 

END MODULE; 

MODULE MAJORITY 3_8; 

INPUTS X.0,X.1,X.2,X.3,X.4,X.5,X.6,X.7,Y.0,Y.1,Y.2,Y.3,Y.4,Y.5,Y.6,Y.7,Z.0, 
Z.1,Z.2,Z.3,Z.4,Z.5,Z.6,Z.7; 

OUTPUTS MAJ-EXISTSP , A. 0, A. 1, A. 2, A. 3, A. 4, A. 5, A. 6, A. 7; 

LEVEL FUNCTION; 

DEFINE 
GO (EO) 
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- V-EQUAL_8(X.0,X.1,X.2,X.3,X.4,X.5,X.6,X.7,Y.0, Y.1,Y.2,Y.3,Y.4,Y.5,Y.6, 

Y. 7); 

G1(E1) 

• V- EQUAL 8(X.0,X.1,X.2,X.3,X.4,X.5,X.6,X.7,Z.0,Z.1,Z.2,Z.3,Z.4,Z.5,Z6. 

z.7); 

G2 (B2) 

> V-EQUA1_8(Y.0,Y.1,Y.2,Y.3, Y . 4, Y. 5, Y. «, Y. 7, Z . 0, Z . 1, Z . 2, Z . 3, Z . 4, Z . 5, Z . 6. 

Z. 7); 

G2A(ZER0.u, iiRO.l, ZERO. 2, ZERO. 3, ZERO. 4, ZERO. 5, ZERO. 6 , ZERO. 7) 

- V-XOR 8(X.0,X.1,X.2,X.3,X.4,X.5,X.6,X.7,X.0,X.1,X.2,X.3,X.4,X.5,X.6,X.7); 

G3 (M&J-EXISTSP) - OR3 (EO, El . E2) ; 

G4(C.0,C.l,C.2,C.3,C.4,C.5,C.6,j:.7) 

- TV-IF_8 (E2, Y. 0, Y. 1, Y. 2, Y . 3, Y. 4, Y. 5, Y. 6, Y. 1 , ZERO. 0, ZERO. 1, ZERO. 2, ZERO. 3, 

ZERO. 4, ZERO. 5, ZERO. 6, ZERO. 7) ; 

G5 (B.0,B.1,B.2,B.3,B.4,B.5,B.6,B.7) 

. rV-IF_8(El,X.0,X.l,X.2,X.3,X.4,X.5,X.6,X.7,C.0,C.l,C.2,C.3,C.4,C.5,C.6, 

C.7); 

G6 (A. 0,4.1, A. 2, A. 3, A. 4, A. 5, A. 6, A. 7) 

. TV-If_8{E0,X. 0,X.1,X.2,X.3,X.4,X.5,X. 6, X. 7,B. 0,B.1,B.2,B. 3,B. 4, B. 5, B. 6 , 

B . 7 ) ; 

END MODULE; 


Appendix D. Mechanically Produced Schematics 

Below we show the schematics produced by LSI Logic, Inc.’s design tool “liberate” from the NDL in 
Appendix C. We include the schematics for incrmt3, majority^ and lstep_8 only. These 
schematics are exhibited to emphasize the point that the NDL produced from our verified design can be 
processed by commercial design tools. This copyrighted material is used with the permission of LSI Logic, 
Inc. 
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